cfbs add ssh-max-auth-tries
SSH is one of the most widely used services allowing administrators to connect and manage the system as well as being used for data transfers like backups and port forwarding.
By default 6 attempts are allowed per session. The number of attempts can be reduced to prevent brute force attacks where different passwords are guessed and tried. When half of the attempts are used up failures will be logged on the server making it more likely that an administrator will notice brute force login attempts.
Reducing this to 3
is recommended and an excellent idea in environments where the value may have been configured higher.
Add MaxAuthTries 36
to /etc/ssh/sshd_config
and run the policy:
$ grep Tries /etc/ssh/sshd_config MaxAuthTries 36 $ sudo cf-agent -KIb ssh_max_auth_tries info: Using command line specified bundlesequence info: Replaced pattern '^\s*(MaxAuthTries\s+(?!3$).*|MaxAuthTries)$' in '/etc/ssh/sshd_config.staged' info: replace_patterns promise '^\s*(MaxAuthTries\s+(?!3$).*|MaxAuthTries)$' repaired info: Edited file '/etc/ssh/sshd_config.staged' info: Copied file '/etc/ssh/sshd_config.staged' to '/etc/ssh/sshd_config.cfnew' (mode '640') info: Removed old backup '/etc/ssh/sshd_config.cfsaved' info: Backed up '/etc/ssh/sshd_config' as '/etc/ssh/sshd_config.cfsaved' info: Moved '/etc/ssh/sshd_config.cfnew' to '/etc/ssh/sshd_config' info: Updated '/etc/ssh/sshd_config' from source '/etc/ssh/sshd_config.staged' on 'localhost' info: Executing 'no timeout' ... '/bin/systemctl --no-ask-password --global --system -q restart sshd' info: Completed execution of '/bin/systemctl --no-ask-password --global --system -q restart sshd' $ grep Tries /etc/ssh/sshd_config MaxAuthTries 3
The reason that there is quite a bit of output is because it's a multi-step process:
If you run cf-agent -KI
again, there will be no output, no changes will be made, since the configuration is already correct.
This module ensures that MaxAuthTries
is set to 3
unless default:ssh_max_auth_tries.sshd_config[MaxAuthTries]
is defined via Augments in which case the value defined via augments is used for the setting in /etc/ssh/sshd_config
leveraging lib_sshd_config:global_key_values
from the library-sshd-config module.
The following variables are available for customization. If they are not defined via Augments, they will select default values.
Note: In order to target these variables from Augments CFEngine 3.18.0 or higher where the variables
key is available is needed.
default:ssh_max_auth_tries.sshd_config[MaxAuthTries]
3
)